9th September 2019


Dear Sir/Madam, 


DMA response to the ICO Data Sharing Code of Practice Consultation — September 2019 


The DMA is Europe’s largest trade body in the data and marketing industry, representing over 1,000 
data-driven companies across the UK. 


The DMA played a major role in the shaping of the GDPR data protection laws in the UK and EU and 
led the implementation in our industry as the trusted source for industry advice and guidance. 


The DMA continues a leading role in discussions around data, tech and AI, ethics, marketing and
beyond. Our Value of Data campaign—led in partnership with Edinburgh University’s Design 
Informatics Department and the Bayes Centre—is leading the way in providing a place for discussions 
about the ethical use of data. 


The DMA code—by which all of our 1,000 members have to abide—ensures that business practice and 
treatment of customers is performed with the principles of transparency, accountability, privacy and 
trust in mind. 


The DMA receives complaints, monitors compliance and ensures that our members have the 
customer’s interests at the centre of what they do. The DMA monitors compliance to the code — 
initially upon membership application and then periodically throughout the organisation’s 
membership of the DMA. For further information on the DMA code, please visit
https://dma.org.uk/the-dma-code.


The consultation 

The DMA welcome the opportunity to provide feedback on the draft Data Sharing code of practice 
and would be happy to work with the ICO to ensure the new Code provides sound, practical 
guidance to all organisations whether big or small. 


Overall the draft Code is good but the DMA have comments on a number of sections. 


Summary — page 4, third paragraph.

The DMA is concerned about the final sentence of this paragraph. Setting carrying out a DPIA for all 
data sharing projects whatever their size as best practice would place unnecessary burdens on 
organisations and could lead to the process not being properly considered and followed when it is 
really needed. Many small scale projects will not need a DPIA, and suggesting that it is best practice 
to carry one out in every case could hamper small organisations who may decide against data 
sharing which would have benefited their organisation and their customers/supporters. 


Summary — page 5, 7th paragraph


The DMA notes the inclusion of “marketing agencies” in the examples of those who share databases 
or lists of individuals. As you state further on in the code, this Code covers the sharing of data by 
controllers and sharing between controllers and processors is excluded. Marketing agencies are 
more likely to be a processor in these circumstances and therefore their role in the transfer of 
databases or lists of data subjects is not covered by the guidance in this code. 


Data sharing covered by this Code — page 17 - Examples of real life data sharing activities 

The 3rd example here, “a retailer provided customer details to a payment processing company”, is a
controller to processor transfer of data and is therefore not covered by this Code, so should be 
removed. 


Deciding to share data — page 20 - What do we need to do? 
This again recommends carrying out a DPIA in all cases of data sharing. See our comments about this 
above. 


Lawful basis for sharing personal data — page 38 How do we determine which lawful basis is 
appropriate, 2nd paragraph.

There is some blurring of processes here. The DMA would suggest that you decide if a DPIA is 
appropriate in the particular case, as part of a DPIA is deciding on your lawful basis. If you decide 
that a DPIA is not appropriate, you would then consider the issue of lawful basis as a separate 
process. 


Security — page 49 — Are we still responsible after we’ve shared the data? First paragraph 
The DMA believe it would be good to include details about carrying out a security audit if you decide 
not to carry out a DPIA, as this will cover similar considerations. 


Sharing personal data in databases and lists — page 74 - How does data sharing apply to the 
acquisition or transfer of databases or lists. 

The example of organisations listed here again includes marketing agencies, who will usually be 
acting as a processor in these circumstances so the sharing of data with them would not be covered 
by the Code. 


Sharing personal data in databases and lists — page 75 - What must we do to ensure the database 
or list we are receiving is being shared in compliance with the law? 

Point 2 — “identify the lawful basis on which it was obtained” — the DMA would suggest adding the 
following to this point “and that any conditions relating to that lawful basis have been complied 
with, for e.g. if using legitimate interests that a LIA has been carried out” 


Point 5 — “check the records of consent, if relevant” — the DMA would suggest deleting “if relevant” 
and replacing with “if you are relying on consent”. 


Sharing personal data in databases and lists — page 75 - What else do we need to do? 

“Under Article 14 of the GDPR you must give privacy information to individuals whose data has been
shared with you “within a reasonable period after obtaining the personal data, but at the latest
within one month...””


Article 14 contains three situations and timeframes within which privacy information must be given
to individuals if you do not acquire the data from them directly, and this requirement is under Article 
14 (3) (a), which is likely to govern the circumstances surrounding the sharing of data. 


The DMA would suggest that this is made clear by adding in the sub-section, and in addition add
that if the individuals concerned have already been provided with that privacy information, say 
before the sharing took place, there is no requirement on the recipients of the shared data to 
provide this information. 


Sharing personal data in databases and lists — page 76 - How does data sharing interact with 
political campaigning? 4th paragraph

“If you use a third party organisation to send out campaign materials on your behalf using your 
databases, you are sharing data with that external organisation” 


This again is sharing data with a processor, not with a controller as the third party is acting on your 
behalf and on your instructions, so this Code will not apply. 


Data ethics and data trusts — page 86 - Is it ethical to share this data? 

The DMA would suggest the mention of Codes of Practice that exist in various industries. The DMA
Code puts the customer front and centre of any personal data considerations with its 5 principles of 
putting the customer first, respect privacy, be honest and fair, be diligent with data and take 
responsibility. 


Conclusion 

The DMA welcomes this guidance to help organisations, especially small and medium sized ones, to 
share data fairly and lawfully, and looks forward to working with the ICO to ensure there is clear and 
practical guidance for DMA members and the wider industry so they can comply with data 
protection requirements. 


Yours faithfully, 


DMA 


